UK, US able to crack most encryption used online

Summary:By weakening encryption standards, inserting vulnerabilities into vendors' technology, and using supercomputer-backed password crackers, the US and the UK are able to break encryption used to back technologies like SSH, HTTPS, and VPNs.

Spy agencies in the UK and the US are reportedly able to crack the same encryption used online to routinely secure information.

The reveal is the latest part of the cache of documents leaked by former US Defence contractor Edward Snowden. According to The Guardian and The New York Times, the US National Security Agency and the UK counterpart, the Government Communications Headquarters (GCHQ), have been working to ensure that encryption has been undermined in three broad ways. The methods used by the spy agencies are controlling international encryption standards; working with technology companies and online service providers to insert weaknesses in technology and software; and the use of supercomputer brute force encryption keys.

The US program around vulnerability insertion targets "commercial encryption systems, IT systems, networks, and endpoint communications devices". It has been called the SIGINT (Signals Intelligence) Enabling Project, and is reported to be a US$250 million a year initiative.

The US documents also outline where the NSA expects its capabilities to be for the 2013 financial year. These include achieving full SIGINT access to an unnamed, but "major communications provider", as well as a "major peer-to-peer voice and text communications system".

The UK documents around its "BULLRUN" system are more general, and note that its US ally has been leading the charge against "defeating network security and privacy". Its decryption efforts appear to focus mostly around network communications, and the program is run from its Penetration Target Defences (PTD) division.

"The various types of security covered by BULLRUN include, but are not limited to, TLS/SSL, https (eg, webmail), SSH, encrypted chat, VPNs, and encrypted VoIP."

Analysts using the BULLRUN system are required by GCHQ to be kept in the dark, noting that they should not necessarily be told how the data they are working on was acquired.

"Access to BULLRUN does not imply any 'need-to-know' the details of sources and methods used to achieve exploitation, and, in general, there will be no 'need-to-know'," the UK document says.

Ironically, the UK document emphasises that the existence of BULLRUN must never be known.

"Any admission of 'fact of' a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN [community of intelligence] and restricted to those specifically indoctrinated for BULLRUN."

France, Australia, and New Zealand appear to be lagging behind the UK's efforts, as the UK document indicates that they are only expected to introduce BULLRUN at a later date.